Wednesday, July 25, 2007

On July 20, 2007 I began my first day of work at The University of Alabama at Birmingham as the Director of Research in Computer Forensics. The position came about as a result of one fundamental issue that we have been working on together between the chair of Computer & Information Sciences and the chair of Justice Sciences: How can we better equip CyberCrime Investigators to do their job? The first part of our answer was to encourage more Academic partnership, where students would seek a "Certificate in Computer Forensics" by studying courses from both departments. We called this initiative "Training Digital Detectives for the 21st Century". The second portion was to begin hosting more training on CyberCrime Issues, such as The Birmingham Conference on Phishing on March 13-15, 2007, and the Identity Theft Summit held June 10-11, 2007. The third part was to create my position, and to begin focusing our joint research efforts on topics that would provide better techniques, tools, and training for CyberCrime Investigators.

The FBI, the Homeland Security Department and other federal agencies are underequipped and lack enough properly trained employees to combat cybercrime, according to a recent report by the Government Accountability Office.

GAO found that staffing was one of four major challenges to addressing cybercrime.

The publication being referred to was GAO-07-705: CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats. This document, from David Powner's group at the Government Accountability Office, says "The annual loss due to computer crime was estimated to be $67.2 Billion for US organizations" with the majority of that, $49.3 billion, being related to Identity Theft, and $1 billion associated specifically with phishing. That same opening letter pointed out that in addition, we know "Chinese military strategists write openly about exploiting the vulnerabilities" used by our military computing infrastructure, and that "terrorist organizations have used cybercrime to raise money to fund their activities". In 2006, it is estimated that there were 9.9 Million US consumers who suffered from Identity Theft.

It's our economy that is at risk. In the report's background, it lists that "150 million US citizens" use the Internet, and that in 2006, "total nontravel-related spending on the Internet was estimated to be $102 Billion". And spam, according to a Ferris Research report cited by GAO, has a "global cost of $100 billion worldwide, including $35 billion in the United States".

As president of the Birmingham InfraGard, and a recipient of the 2006 "Partnership Award" from the IC3 and NCFTA, I was pleased to see the report listing "Key Partnerships Established to Address CyberCrime":

Working in a borderless environment with laws of multiple jurisdictions

Implementing information security practices and raising awareness

Reporting CyberCrime

When surveys say 9.9 Million Americans lost $49 Billion to Identity Theft last year, it's astounding that the Internet Crime & Complaint Center only had $180 Million in loss reports filed from 260,000 consumers. Some of the reasons GAO gave for this under-reporting were:

Financial Market Impacts - (will my stock tank if I tell you I was hacked?)

Lack of law enforcement action - (will the cops do anything? do they know what to do?)

LE Analytical and Technical Capabilities

From the report:

Federal and state law enforcement organizations face challenges in having the appropriate number of skilled investigators, forensic examiners, and prosecutors.

...

officials, once an investigator or examiner specializes in cybercrime, it can take up to 12 months for those individuals to become proficient enough to fully manage their own investigations.

Some of the key challenges mentioned include the great possibility that a trained cybercrime investigator will be lured to the private sector by the much higher salaries their skills may demand in that arena. Within the FBI, the policy of rotating new agents to one of the 15 largest offices within 3 years often means that an agent recruited for their cyber abilities is assigned to a non-cyber position in their new office! (This happened to one of our favorite cyber agents in Birmingham, who is now in a non-cyber post in Miami!) These same rotations also mean that agents brought in to fill these new cyber-vacancies may have little or no cyber training. Even senior agents (supervisory agents) are limited to serving a 5 year term in their role if they wish to seek career advancement.

Keeping Up to Date with Technology and Techniques

The report also expresses the concern that cybercrime is evolving at a rate which requires new equipment and tools "and agencies' need for them does not always fall into the typical federal replacement cycle". Some of the training gaps are being met creatively within agencies by having centralized talent pools, such as the DOD Cyber Crime Center (DC3.mil), FBI Cyber Action Teams, and the Secret Service training programs for federal, state, and local officials (such as the new Center just opened in Hoover, Alabama!) These are all great, but often the resources are still too limited for the scope. These are supplemented by "public/private partnerships, like the FBI’s Infragard and National Cyber Forensics Training Alliance and the Secret Service’s Electronic Crimes Task Forces, [which] provide ways to share expertise between law enforcement, the private sector, and academia."

Borderless Crime

Key challenges in this area are:

techniques that "make it difficult to trace the cybercriminals to their physical location".

"the multiplicity of laws and procedures that govern in the various nations and states" - such as the fact that not all states or nations have antispam or antispyware laws.

"Cybercrime can occur without physical proximity to the victim, and thus a cybercriminal can operate without victimizing a citizen in the jurisdiction or federal judicial district in which the crime originated." - It is difficult to commit local resources to investigate crimes that have no local victims!

Raising Awareness

"Criminals prey on people's ignorance". Ignorance of vulnerabilities. Of how to detect phishing. Of how to report CyberCrime.

In response to this report, the FBI mentioned that Director Mueller has established five "career paths" for agents, one of which will be a Cyber track. This will allow cyber agents to remain where their skills can be made most effective.

The Secret Service also responded, stating that their Electronic Crimes Special Agent Program (ECSAP) will have 770 trained and active agents by the end of FY 2007. Their response also mentioned their 24 Electronic Crimes Task Forces, which "combine the resources of state and local police, as well as academia and private industry", and their importance in maintaining a continuity of investigative ability even as new ECSAP agents face their 4th year rotations.

Monday, July 23, 2007

It's time to rally the troops on the political front once again. Those of you who know me know that I believe we have primarily not a lack of laws but a lack of manpower and interest in enforcing those laws. Is it against the law to send spam with false headers in the United States? Yes. Is it actively investigated and prosecuted? No. Is it against the law to steal someone's identity in the United States? Yes. Is it actively investigated and prosecuted? No. Unless you can show enormous losses.

So, on the one hand, I would like to see adequate resources applied to enforcing the laws that we currently have on the books. On the other hand, when I see a great Bill introduced in the House or the Senate, I'd like to see it supported.

The CyberSecurity Enhancement Act of 2007 is worth supporting. It goes beyond our current CyberCrime Laws and attempts to bring in the aspects of Organized Crime and Conspiracy that are behind the individual acts we see every day.

Someone registered a new domain in Hong Kong and used a bot-infected computer to host a phishing website. Hardly interesting from a prosecutorial perspective. But if there were laws on the books that let investigators more easily go after the Criminal Conspiracy that encouraged this action to be committed hundreds of times this year by a related group of co-conspirators, that would make these smaller acts more likely to be prosecuted. Assistant US Attorney Erez Liebermann, the chief of the New Jersey CHIPS unit (Computer Hacking and Intellectual Property Section), was recently interviewed by Information Week where he mentioned this Bill. In the July 20th article, he says that by adding CyberCrime to the RICO statutes, as this Act would do, criminal penalties for these activities would be enhanced.

Are you familiar with the "CyberSecurity Enhancement Act of 2007"? Most of us aren't.

HR 2290 was introduced May 14th by Adam Schiff, a Democrat from California. (GovTrack categorizes him as a "Radical Democrat". I like Radical Democrats' love for technology and their desire to help the poor. I can work with anyone. Schiff co-sponsored National Human Trafficking Awareness Day, and a bill to make trade in illegal nuclear weapons a Crime Against Humanity. Of course he also introduced a Bill to express No Confidence in our Attorney General, so bi-partisan, this guy ain't.)

This bill is currently sitting with the House Committee on the Judiciary, along with 43 other proposed amendments to Title 18 (where most of our CyberCrime Laws are outlined).

One of those other versions is a Republican sponsored Bill with almost the same name, introduced by Republican Lamar Smith, HR 836, introduced back in February.

A key phrase which was present in both the Republican and the Democratic version of the Bill would modify the penalties so that they applied both to the successful criminal, and the criminal who "conspires to" or "attempts" to commit certain CyberCrimes.

Another huge part of the act addresses the concern I mention at the top of this post. Section 10 of this act would give an additional $10 Million EACH to the Secret Service, the FBI, and the Attorney General for the Criminal Division of the DOJ, specifically for fighting CyberCrime. If for no other reason than this, I would strongly encourage your support of this bill!

I'm pleased to see that one of my two Congressmen, Artur Davis, is listed among the co-sponsors of HR 2290. (I claim the one in the zip code where I work, and the one in the zip code where I live both represent me. I had the pleasure of escorting my son's orchestra on a Capitol Tour as guests of Mr. Davis' office last month!) I'm also pleased to see that Ohio Republican Steven Chabot and California Republican Daniel Lungren, 2 of the 9 Republican co-sponsors of Smith's earlier bill, and both members of the sub-committee on Crime, Terrorism, and Homeland Security, have joined as part of the 6 Republicans who make a total of 19 co-sponsors of HR 2290.

The fact that the members of this committee, both Democrats and Republicans, are signed on as co-sponsors to this Bill encourages me that it might make it out of committee!

I would encourage folks to read the Bill, and if you agree that it should be law, please encourage your Representative to lend his voice of support to the Bill.

The Bill is currently sitting in a sub-committee of the House Judiciary Committee, called the "Crime, Terrorism, and Homeland Security Committee". Especially if you are in Michigan, where the Honorable John Conyers, the Chairman of the Judiciary, is from, or in Virginia, where the Honorable Robert C. Scott, the Chairman of the sub-committee, is from, it would be very useful to hear your voice in this matter.

Please take a minute to review the Bill, members of the Subcommittee, and your own Congressmen's contact information, and determine what the right course of action is for yourself.

Wednesday, July 18, 2007

In a press release issued July 13 (or 13 luglio 2007, if you're in Roma), the Commanding General of the Financial Guard of Milan announced that they had arrested 26 phishers: 18 Italian citizens and 8 foreigners.

Here's my Babylon 6 assisted translation of the press release:

----------

The Provincial headquarters of the Guardia di Finanza in Milan has, in fact, executed 26 orders of custody to members of two criminal associations responsible for a series of fraud perpetrated on hundreds of users of home banking services, by technical means better known under the name of "phishing".

The operation has identified 18 Italian citizens and 8 Eastern European foreigners, who are regular residents in our country, which are exploiting the home banking personal access credentials to customers of Poste Italiane bank, sent fraudulently in response to randomly dispatched e-mails apparently sent by their financial institution.

Hackers from the group, during questioning, have confessed to having sent the e-mail messages, which appeared to originate from Poste Italiane, by using stolen login credentials for electronic mailboxes of ISPs operating in Italy but with servers abroad. They subsequently logged in to the accounts during the next 30 days and defrauded them out, by transferring the sums on cards specially created by other members of the Organization.

The means of offense were identified thanks to a tight cooperative investigation between the "fraud management" team of Poste Italiane and the officers of the Guardia di Finanza, which have monitored in real time the activations of the cards, initially in the territory of Milan and then on the whole national territory.

The orders of custody have been carried out in the provinces of Milan, Brescia, Novara, Como, Florence, Parma, Forlì and Pescara.

In the course of the searches they seized computers, removable media archives, magnetic cards used to set up credit cards and debit cards, hundreds of credit cards and prepaid cards of various banking institutions, CARDS one, false documents and latest-generation mobile phones.

------------------

This type of investigation is possible every day in the United States. What is necessary to make it a reality? The belief by the management in charge of the manpower of various investigative and prosecutorial agencies that "small crimes" are worth investigating -- because they lead to Big Criminals!

Our partnership was the cover article in a recent edition of UAB's magazine. The article, called Bugs in the System, discussed how CIS and JS were working together to create Alabama's first graduate certificate in Computer Forensics. The problem that we are facing is that CyberCrime professionals are either Justice Science majors, with a background in law enforcement but very little computer training, or Computer Science professionals, with a background in technology, but very little knowledge of law enforcement and legal practice. The new certification will be producing graduates who have a combination of knowledge in these areas BEFORE they enter the workforce.

My position, as Director of Research, will be seeking to develop new techniques, tools, and technologies for those who practice CyberCrime investigation, in the legal system, in traditional security companies, and in corporate and government security.